Interpretation Conflict Affecting fast-uri package, versions >=2.3.1 <3.1.3>=4.0.0 <4.0.1


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.27% (20th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-FASTURI-17675102
  • published29 Jun 2026
  • disclosed29 Jun 2026
  • creditChristopher Linke

Introduced: 29 Jun 2026

NewCVE-2026-13676  (opens in a new tab)
CWE-436  (opens in a new tab)

How to fix?

Upgrade fast-uri to version 3.1.3, 4.0.1 or higher.

Overview

fast-uri is a Dependency-free RFC 3986 URI toolbox

Affected versions of this package are vulnerable to Interpretation Conflict in its parse(), normalize(), and equal() functions, which call the nonexistent URL.domainToASCII() static method and silently swallow the resulting TypeError into parsed.error, leaving an internationalized hostname in its unconverted Unicode form. An attacker can steer host-based security policies to an unintended destination by supplying a URL with a Unicode or fullwidth hostname such as http://127。0。0。1/, which is parsed with the host left as 127。0。0。1 while Node's WHATWG URL parser and fetch() canonicalize it to 127.0.0.1. Exploitation requires the application to use this library for host-based decisions such as denylists, loopback filtering, or redirect and proxy validation before passing the URL to a downstream consumer that canonicalizes the host differently.

CVSS Base Scores

version 4.0
version 3.1